Recursive look-ups question. (High loads/bfd)

azz

Member
Jun 23, 2003
My server loads are shooting through the roof, and I think it is because of hundreds of these:

Nov 26 17:29:32 myserver named[7409]: lame server resolving '35.186.182.76.in-addr.arpa' (in '182.76.in-addr.arpa'?): $
Nov 26 17:29:32 myserver named[7409]: lame server resolving '8.24.133.193.in-addr.arpa' (in '24.133.193.in-addr.arpa'?$
Nov 26 17:29:32 myserver named[7409]: lame server resolving '35.186.182.76.in-addr.arpa' (in '182.76.in-addr.arpa'?): $
Nov 26 17:29:32 myserver named[7409]: lame server resolving '4.5.91.170.in-addr.arpa' (in '5.91.170.in-addr.arpa'?): 1$
Nov 26 17:29:32 myserver named[7409]: lame server resolving '35.186.182.76.in-addr.arpa' (in '182.76.in-addr.arpa'?): $
Nov 26 17:29:32 myserver named[7409]: lame server resolving '4.5.91.170.in-addr.arpa' (in '5.91.170.in-addr.arpa'?): 1$
Nov 26 17:29:32 myserver named[7409]: lame server resolving '4.5.91.170.in-addr.arpa' (in '5.91.170.in-addr.arpa'?): 1$
Nov 26 17:29:32 myserver named[7409]: lame server resolving '8.24.133.193.in-addr.arpa' (in '24.133.193.in-addr.arpa'?$
Nov 26 17:29:32 myserver named[7409]: lame server resolving '4.5.91.170.in-addr.arpa' (in '5.91.170.in-addr.arpa'?): 1$
Nov 26 17:29:33 myserver named[7409]: lame server resolving '4.5.91.170.in-addr.arpa' (in '5.91.170.in-addr.arpa'?): 1$
Nov 26 17:29:33 myserver named[7409]: lame server resolving '8.24.133.193.in-addr.arpa' (in '24.133.193.in-addr.arpa'?$
Nov 26 17:29:33 myserver named[7409]: lame server resolving '4.5.91.170.in-addr.arpa' (in '5.91.170.in-addr.arpa'?): 1$
Nov 26 17:29:33 myserver named[7409]: lame server resolving '4.5.91.170.in-addr.arpa' (in '5.91.170.in-addr.arpa'?): 1$
Nov 26 17:29:33 myserver named[7409]: lame server resolving '4.5.91.170.in-addr.arpa' (in '5.91.170.in-addr.arpa'?): 1$
Nov 26 17:29:33 myserver named[7409]: lame server resolving '8.24.133.193.in-addr.arpa' (in '24.133.193.in-addr.arpa'?$
Nov 26 17:29:33 myserver named[7409]: lame server resolving '8.24.133.193.in-addr.arpa' (in '24.133.193.in-addr.arpa'?$
Nov
I have done lots of searches here and my named.conf already has:


acl "trusted" {
    my.ip;
    my.ip2;
    my.ip3;
    my.ip4;
    127.0.0.1;
};

options {
    directory "/var/named";
    version "not currently available";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

What I have noticed now twice is that the server loads go up and up and up, and then BFD kicks in and they start to go down... could it be some kind of DoS attack or similar? The loads hit around 40/50.

Additionally my sites report an error once a day or so, saying they have lost connection to mysql, or mysql server has gone away. Could these all be connected? I have recompiled apache with the latest php and mysql, and updated cpanel software etc, but this is still happening... :-(

Any help greatly appreciated.
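An added triage script, not from this thread: it parses named's "lame server" lines like the ones quoted above, counts them per second and per looked-up address, and shows whether the same few reverse names keep recurring. named only logs lame servers while it is itself recursing, so these messages are consistent with the allow-recursion { trusted; } setting when a permitted client (127.0.0.1 is in the ACL) drives PTR lookups. The sample lines are constructed from the post's log; the nameserver addresses at their ends are made up.

```python
import re
from collections import Counter

# Matches the named[] syslog lines quoted in the post. The trailing "<ip>#53"
# (the nameserver that gave the lame answer) is not needed for the count.
LAME_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"lame server resolving '(?P<name>[^']+)' \(in '(?P<zone>[^']+)'\?\)"
)

def parse_lame_line(line):
    """Return (timestamp, queried name, zone) for a lame-server line, else None."""
    m = LAME_RE.match(line)
    return (m.group("ts"), m.group("name"), m.group("zone")) if m else None

def reverse_name_to_ip(name):
    """Turn '35.186.182.76.in-addr.arpa' back into the IPv4 address '76.182.186.35'."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))

def summarize(log_text):
    """Count lame-server messages per second and per looked-up address.

    named only logs these while it is itself recursing, so they show that some
    client allow-recursion permits (127.0.0.1 included) is driving PTR lookups;
    per_ip distinguishes a few hosts looked up repeatedly from many distinct ones.
    """
    per_second, per_ip = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_lame_line(line)
        if parsed is None:
            continue          # other named messages, or the cut-off "Nov" line
        ts, name, _zone = parsed
        per_second[ts] += 1
        per_ip[reverse_name_to_ip(name) or name] += 1
    return {"total": sum(per_second.values()), "per_second": per_second, "per_ip": per_ip}

# Constructed sample modelled on the post's lines; the 192.0.2.x#53 nameserver
# addresses at the end are made up (RFC 5737 documentation range).
SAMPLE_LOG = """\
Nov 26 17:29:32 myserver named[7409]: lame server resolving '35.186.182.76.in-addr.arpa' (in '182.76.in-addr.arpa'?): 192.0.2.10#53
Nov 26 17:29:32 myserver named[7409]: lame server resolving '8.24.133.193.in-addr.arpa' (in '24.133.193.in-addr.arpa'?): 192.0.2.11#53
Nov 26 17:29:32 myserver named[7409]: lame server resolving '4.5.91.170.in-addr.arpa' (in '5.91.170.in-addr.arpa'?): 192.0.2.12#53
Nov 26 17:29:33 myserver named[7409]: lame server resolving '4.5.91.170.in-addr.arpa' (in '5.91.170.in-addr.arpa'?): 192.0.2.12#53
Nov
"""
```

Run summarize() over /var/log/messages instead of SAMPLE_LOG; a per_ip counter dominated by a handful of addresses points at repeated reverse lookups of the same connecting hosts rather than a flood of distinct ones.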
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
My server loads are shooting through the roof, and I think it is because of hundreds of these:
It is very difficult to say if your server is under attack, and if yes, what kind of attack. To understand attack techniques, go to: http://www.servertune.com/kbase/security/attacks.html
You also need to make sure that you don't have a "runaway script" which can continuously loop, dragging down your server's resources. Type this command at the prompt to see the processes running when load is high:
ps auxfww |more
 

azz

Member
Jun 23, 2003
Hi Andy, thanks for the link.

While it tells you about the different kind of attacks, it doesn't really say anything on how you can identify them...?

Does BFD keep a log? Do you know the command I need to access it? Maybe it will have some clues?

Regarding the recursive look-ups, as the settings in my named.conf have essentially disabled them, why do they still show in my log file? (as quoted in my post above). I'm just wondering, could the logging itself be causing the loads to go up? And why are there so many requests in the same 'second'? Is that normal?

Thanks for your help.
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
Minneapolis, MN
Does BFD keep a log? Do you know the command I need to access it? Maybe it will have some clues?
BFD log file can be found at: /var/log/bfd_log

I'm just wondering, could the logging itself be causing the loads to go up?
It's perfectly normal to have 'spikes' in your Server Load. Peak visitor times, log processing, database backup scripts, automated cron jobs - all can cause 'spikes' in your server load. It's when the server load is constantly above 5.00 - that's the time to start digging for clues. Having said that and within the context of the information you provided, it is really hard to say what is the real cause of server high load without looking into the server. Hope this helps!
 

azz

Member
Jun 23, 2003
Hi Andy - thanks for your help.

If I get to the bottom of it (or need further help!) I'll post an update :)

The server loads rarely hit 1 - it's just been the odd time they've been shooting up to the 50s, and both times I've seen it happen, I've seen BFD show up in top stats and immediately the loads start to go down - which is what makes me think it's some form of attack...